Merge upstream/main (11 commits): iOS dismiss-sync, sidebar perf, founder welcome

PRs included:
- iOS notifications cross-device dismiss-sync + authoritative unread count
- iOS workspace row actions (manaflow-ai#6022)
- Sidebar perf: kill LazyVStack layout livelock (manaflow-ai#6019 + manaflow-ai#6024)
- iOS sign-out local-first offline-safe revocation
- iOS workspace list groups, unread dots, last-activity previews
- Refresh notification fallback sound DnD
- Email Founder's Edition customers welcome via Resend webhook
- Misc swift-file-length-budget refresh + extract NotificationSoundSettings
- cloud-testflight --marketing-version override

Fork-side adjustments:
- Drop fork's mobileAllowsWorkspaceAction static helper from TerminalController:
  upstream put it in Sources/TerminalController+MobileNotificationSync.swift
- Restore fork's renameTopLevelLayoutTabContaining and
  closeTopLevelLayoutTabContaining methods on Workspace (TerminalController
  v2WorkspaceTopTabRename/Close call sites depended on them)
- pbxproj keep-both for upstream new files + fork P41 entries
- Budget tsv merged via max-per-path script

Author: wowdd1

.github/swift-file-length-budget.tsv

@@ -61,7 +61,7 @@
 19265	Sources/ContentView.swift
 924	Sources/DockPanelView.swift
 1365	Sources/Feed/FeedButtonStyleDebugWindowController.swift
-1239	Sources/Feed/FeedCoordinator.swift
+1255	Sources/Feed/FeedCoordinator.swift
 3937	Sources/Feed/FeedPanelView.swift
 574	Sources/Feed/FeedTextEditorDebugWindowController.swift
 680	Sources/FileExplorerSearchController.swift
@@ -74,6 +74,7 @@
 2039	Sources/KeyboardShortcutSettingsFileStore.swift
 768	Sources/MainWindowFocusController.swift
 2340	Sources/Mobile/MobileHostService.swift
+690	Sources/NotificationSoundSettings.swift
 681	Sources/Panels/AgentSessionProcessStore.swift
 756	Sources/Panels/AgentSessionWebRendererCoordinator.swift
 554	Sources/Panels/BrowserAutomation.swift
@@ -115,7 +116,7 @@
 1144	Sources/VaultAgentProcessScanner.swift
 1751	Sources/WindowDragHandleView.swift
 546	Sources/Windowing/WindowGlassEffect.swift
-19985	Sources/Workspace.swift
+19990	Sources/Workspace.swift
 878	Sources/WorkspaceContentView.swift
 627	Sources/WorkspaceRemoteConfiguration.swift
 5462	Sources/cmuxApp.swift

Packages/CmuxAuthRuntime/Sources/CmuxAuthRuntime/BrowserSignIn/HostBrowserSignInFlow.swift

@@ -345,6 +345,21 @@ public final class HostBrowserSignInFlow {
             try await coordinator.completeExternalSignIn()
         } catch {
             log.log("auth.callback completion failed: \(error)")
+            // No flow-side seed clear here, deliberately. When a sign-out
+            // raced the validation round trip, the seeds were already in the
+            // store when the coordinator's local-first clear ran (they are
+            // seeded before `completeExternalSignIn`), so the coordinator's
+            // clear owns wiping them. Clearing here instead RACES that
+            // sign-out: the flow bumps `signOutGeneration` before the
+            // coordinator captures the teardown credentials with raw store
+            // reads, so a clear from this catch can empty the store inside
+            // the capture window and silently strip the best-effort server
+            // teardown (push unregister, session revocation) of its
+            // credentials. A coordinator-level cancellation without a
+            // sign-out (a concurrent publish) must not clear either: in
+            // production the published session is typically authenticated by
+            // these very tokens (same shared store), and clearing them would
+            // strand it.
             return false
         }
         log.log("auth.callback.coordinator.complete.end attempt=\(attemptID.map(String.init) ?? "external") signedIn=\(coordinator.isAuthenticated)")

Packages/CmuxAuthRuntime/Sources/CmuxAuthRuntime/Client/AuthClient.swift

@@ -60,6 +60,45 @@ public protocol AuthClient: Sendable {
     ///   - anchor: The presentation-anchor provider for the auth UI.
     func signInWithOAuth(provider: String, anchor: any AuthPresentationAnchoring) async throws
 
-    /// Clear the persisted Stack session (tokens) for the current device.
-    func signOut() async throws
+    /// The access token exactly as stored, with no freshness check and no
+    /// network refresh (unlike ``accessToken()``, which may mint a new token
+    /// over the network when the stored one looks stale).
+    ///
+    /// For capturing the credentials a best-effort server-side teardown needs
+    /// before ``clearLocalSession()`` destroys them; never blocks on
+    /// connectivity.
+    func storedAccessToken() async -> String?
+
+    /// Clear the locally persisted session (tokens) without any network call.
+    /// The device is signed out once this returns, regardless of connectivity.
+    func clearLocalSession() async
+
+    /// Clear the locally persisted session only while the stored refresh
+    /// token still equals `refreshToken`: an atomic compare-and-clear at the
+    /// token store. For stale-session cleanup that can race a fresh sign-in's
+    /// store write; a store that changed owners after the cleanup decision is
+    /// left alone. User-intent sign-out keeps using the unconditional
+    /// ``clearLocalSession()``.
+    func clearLocalSession(ifRefreshTokenMatches refreshToken: String) async
+
+    /// Revoke the server-side session the captured token pair authenticates,
+    /// without touching local token storage (the local session is typically
+    /// already cleared by ``clearLocalSession()`` when this runs).
+    ///
+    /// Best-effort by contract: callers bound it with a deadline and log
+    /// failures rather than letting revocation gate sign-out.
+    func revokeSession(accessToken: String?, refreshToken: String?) async throws
+
+    /// A likely-valid access token for an explicit captured token pair,
+    /// resolved through an ephemeral store that never touches local token
+    /// storage: the captured access token when still fresh, else one freshly
+    /// minted from the captured refresh token.
+    ///
+    /// For the sign-out teardown: the raw capture can hold an expired access
+    /// token (or none on a refresh-only store), and the cmux API
+    /// authenticates with the Bearer + refresh header pair, so the bounded
+    /// best-effort teardown needs a usable access token even though the local
+    /// session is already cleared. Best-effort: returns `nil` when no token
+    /// could be resolved (offline, dead server).
+    func freshAccessToken(accessToken: String?, refreshToken: String) async -> String?
 }

Packages/CmuxAuthRuntime/Sources/CmuxAuthRuntime/Client/StackAuthClient.swift

@@ -81,8 +81,39 @@ public struct StackAuthClient: AuthClient {
         try await stack.signInWithOAuth(provider: provider, presentationContextProvider: anchor)
     }
 
-    public func signOut() async throws {
-        try await stack.signOut()
+    /// The access token exactly as stored: a raw read, no freshness check,
+    /// no network refresh. See ``AuthClient/storedAccessToken()``.
+    public func storedAccessToken() async -> String? {
+        await stack.getStoredAccessToken()
+    }
+
+    /// Clear the locally persisted Stack session unconditionally, with no
+    /// network call. See ``AuthClient/clearLocalSession()``.
+    public func clearLocalSession() async {
+        await stack.clearStoredTokens()
+    }
+
+    /// Compare-and-clear the locally persisted Stack session, atomic at the
+    /// SDK token store. See
+    /// ``AuthClient/clearLocalSession(ifRefreshTokenMatches:)``.
+    public func clearLocalSession(ifRefreshTokenMatches refreshToken: String) async {
+        await stack.clearStoredTokens(ifRefreshTokenEquals: refreshToken)
+    }
+
+    /// Revoke the server-side session the captured token pair authenticates,
+    /// through an ephemeral token store that never writes to the app's real
+    /// keychain. See ``AuthClient/revokeSession(accessToken:refreshToken:)``.
+    public func revokeSession(accessToken: String?, refreshToken: String?) async throws {
+        // Nothing to authenticate the DELETE with; skip the round trip.
+        guard accessToken != nil || refreshToken != nil else { return }
+        try await stack.revokeSession(accessToken: accessToken, refreshToken: refreshToken)
+    }
+
+    /// A likely-valid access token for an explicit captured pair, resolved
+    /// without touching local token storage. See
+    /// ``AuthClient/freshAccessToken(accessToken:refreshToken:)``.
+    public func freshAccessToken(accessToken: String?, refreshToken: String) async -> String? {
+        await stack.likelyValidAccessToken(accessToken: accessToken, refreshToken: refreshToken)
     }
 
     private static func mapped(_ user: CurrentUser) async -> CMUXAuthUser {